docs: clarify supply-chain warning triage #193
Summary by CodeRabbit
Walkthrough
Adds Strix as a primary warning source to the BandScope supply-chain warning remediation SKILL document, and explicitly defines the Strix-specific evidence field requirements and the handling rules for GitHub Actions Node.js runtime deprecation warnings and platform-owned action warnings.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md`:
- Line 24: Split sentence 5 ("Fix the root cause...") into two cases. For the repo-owned case (local ./ actions), state "trace owner/ref and update runtime or action code" to recommend the runtime/code update procedure; for the repo-selected (external) case, state "trace owner/ref and upgrade to a maintained action ref, pin to a specific SHA" to direct applying a maintained ref and a SHA pin. Keep the existing "Do not use broad log filtering..." warning as is, but briefly append the concrete recommended action for each case (update steps or pinning method).
- Line 37: The example using "github/dependabot-action@main" conflicts with the
repository's immutable SHA pinning policy; update the SKILL.md text to either
replace the example with a SHA-pinned reference (e.g.,
"github/dependabot-action@<sha>") or explicitly state that unpinned refs like
"github/dependabot-action@main" are only to be tracked as exceptions (not
allowed by default) to avoid policy confusion; edit the sentence containing
"github/dependabot-action@main" and add a short note pointing to
docs/security/dependency-policy.md for the SHA pinning requirement.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0f8dfae9-f0a0-4f15-9881-fa9eebc187d1
📒 Files selected for processing (1)
docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md
Actionable comments posted: 2
♻️ Duplicate comments (1)
docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md (1)
24-24: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Adding a clear definition of the term "repo-owned" would make this step more actionable.
The text currently distinguishes "repo-owned" from "repo-selected external code", but does not make explicit what "repo-owned" means: whether it refers to actions under the local .github/actions/ path, or to actions in other repositories owned by the same repository owner.
♻️ Suggested clarification
-5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the action is repo-owned, update the action runtime or action code. If the action is repo-selected external code, upgrade to a maintained action ref and pin it to a specific commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. +5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the action is repo-owned (local `.github/actions/` path), update the action runtime or action code in-repo. If the action is repo-selected external code, upgrade to a maintained action ref and pin it to a specific commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal.🤖 Prompt for AI Agents
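Review bot: the `+` line defines repo-owned only as a "local `.github/actions/` path" and leaves actions that are maintained by the same organization but referenced as `owner/repo@ref` unclassified, so a reader could take "repo-owned" as an exemption from pinning. Add one clause stating that any `owner/repo@ref`, org-owned included, falls under the "pin it to a specific commit SHA" rule, and that only `./` paths are updated in-repo.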
Verify each finding against the current code and only fix it if needed. In `@docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md` at line 24, Clarify the term "repo-owned" used in the step "Fix the root cause." by adding a brief definition that distinguishes local actions under .github/actions/, actions hosted in the same organization/repository (internal repos), and third-party external actions; reference the existing term "repo-selected external code" and explicitly state which cases count as "repo-owned" (e.g., local .github/actions/ files and actions maintained in the same organization/repo) so readers know whether to update action runtime/code or pin to an external SHA.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md`:
- Line 37: The sentence in SKILL.md conflates three policies (track
platform-owned action warnings, treat unpinned refs like
`github/dependabot-action@main` as exception signals, and enforce SHA pinning
per docs/security/dependency-policy.md) into one long sentence; split it into
2–3 clear sentences: 1) state that GitHub/platform-owned action warnings (e.g.,
`github/dependabot-action@<sha>`) should be tracked with run URL, action
owner/ref, and follow-up owner and are not merge blockers when no
repo-controlled fix exists, 2) explicitly call out that unpinned refs (e.g.,
`github/dependabot-action@main`) should be tracked as exception signals rather
than allowed defaults, and 3) reaffirm that repo-selected actions must still
follow the SHA pinning rule in docs/security/dependency-policy.md; keep the
`github/dependabot-action@<sha>` and `github/dependabot-action@main` examples to
preserve clarity.
- Line 38: The sentence "actionable remediation signals, not blockers by name
alone" in SKILL.md is ambiguous; update that line to explicitly state that Strix
findings should not automatically block merges based solely on the tool's name
and that one of three actions is required: fix the finding, provide file-level
evidence rebutting it, or open a follow-up issue with acceptance criteria and
Security Notes; locate the sentence in SKILL.md and replace it with a clearer
phrasing that mentions "do not automatically block merges based only on a Strix
label/name" and enumerates the three permitted responses (fix / rebut with
evidence / create follow-up).
---
Duplicate comments:
In `@docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md`:
- Line 24: Clarify the term "repo-owned" used in the step "Fix the root cause."
by adding a brief definition that distinguishes local actions under
.github/actions/, actions hosted in the same organization/repository (internal
repos), and third-party external actions; reference the existing term
"repo-selected external code" and explicitly state which cases count as
"repo-owned" (e.g., local .github/actions/ files and actions maintained in the
same organization/repo) so readers know whether to update action runtime/code or
pin to an external SHA.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md`:
- Line 24: The phrase "repo-owned" in the guidance conflates local actions and
external owner/repo@ref actions and could be read as exempting org-owned
owner/repo@ref from SHA pinning; update the sentence in SKILL.md to clearly
separate local actions (./github/actions or ./ path) which should be updated
in-place from any owner/repo@ref (including those maintained by your
organization) which must be upgraded to a maintained ref and pinned to an
immutable commit SHA; replace the ambiguous "repo-owned" wording with two
explicit rules referencing "./" for local actions and "owner/repo@ref" for
external refs and state SHA pinning applies to all non-local refs.
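As an added example, not code from this PR or the BandScope project: a small Python triage helper that applies the rules argued for in this thread to a constructed workflow snippet (`./` paths are local actions fixed in-repo; every `owner/repo@ref` must be pinned to a 40-hex commit SHA; unpinned refs such as `github/dependabot-action@main` are listed as exceptions to track rather than accepted defaults). Treating the `actions` and `github` owners as platform-owned is an assumption, and the SHA in the sample is a placeholder.

```python
import re

# Constructed sample workflow (not from the PR); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/verify-docs
      - uses: github/dependabot-action@main
      - uses: some-org/release-tool@v2
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # immutable commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
PLATFORM_OWNERS = {"actions", "github"}         # assumption: treated as platform-owned


def classify_uses(ref: str) -> dict:
    """Apply the thread's rules to one `uses:` value."""
    if ref.startswith("./"):
        # Local action: fix runtime/action code in-repo; pinning does not apply.
        return {"ref": ref, "kind": "local", "pinned": None,
                "action": "update action runtime or code in-repo"}
    if ref.startswith("docker://"):
        # Container actions are outside the owner/repo@ref rule discussed here.
        return {"ref": ref, "kind": "docker", "pinned": None, "action": "out of scope"}
    name, _, version = ref.partition("@")
    pinned = bool(SHA_RE.fullmatch(version))
    kind = "platform-owned" if name.split("/")[0] in PLATFORM_OWNERS else "external"
    # Every non-local ref, org-owned included, must be SHA-pinned; anything else
    # is tracked as an exception, not accepted as a default.
    action = "none" if pinned else "exception: upgrade to maintained ref and pin to commit SHA"
    return {"ref": ref, "kind": kind, "pinned": pinned, "action": action}


def triage_workflow(text: str) -> list[dict]:
    """Classify every `uses:` line in a workflow file body."""
    return [classify_uses(m.group(1)) for line in text.splitlines()
            if (m := USES_RE.match(line))]


def unpinned_refs(results: list[dict]) -> list[str]:
    """Refs to record as exceptions (run URL, action owner/ref, follow-up owner)."""
    return [r["ref"] for r in results if r["pinned"] is False]


if __name__ == "__main__":
    for r in triage_workflow(SAMPLE_WORKFLOW):
        print(f"{r['kind']:<14} pinned={r['pinned']!s:<5} {r['ref']} -> {r['action']}")
```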
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md`:
- Line 24: The instruction about upgrading to a "maintained ref" is unclear
because it lacks criteria for what "maintained" means. Update the guidance in
the step mentioning "upgrade it to a maintained ref" by adding a clear
definition or criteria, such as "a ref that is actively released, receives
security patches, and supports the required Node.js runtime," to help developers
accurately identify appropriate action refs for upgrade.
Summary
Verification
python3 scripts/checks/verify_docs.py
python3 scripts/checks/verify_supply_chain.py
Security Notes
Refs #192